
For blocked hosts

For blocked hosts, as long as the Brocade device is receiving traffic from the host, aging does not
occur. In the output of the show table-mac-vlan command, the age column displays values such as H0
to H70, S0, and H0 to H70, and so on. Aging of a MAC-based VLAN MAC occurs in two phases: hardware
aging and software aging. The hardware aging period is configured with the mac-authentication
hw-deny-age command in config mode; the default is 70 seconds. The software aging time for
MAC-based VLAN MACs is configured with the mac-authentication max-age command. When the Brocade
device stops receiving traffic from a MAC-based VLAN MAC address, the hardware aging period begins
and lasts for a fixed length of time (the default or the user-configured value). When the hardware
aging period ends, the software aging period begins; it lasts for a configurable amount of time
(the default is 120 seconds). After the software aging period ends, the MAC-based VLAN session is
flushed, and the MAC address is authenticated or denied again if the Brocade device receives
further traffic from that MAC address.

For MAC-based dynamic activation

If all of the sessions age out on a port, the port is dynamically removed from the VLAN table. When
any new session is established, the port is dynamically added back to the VLAN table.

NOTE
If the Brocade device receives a packet from an authenticated MAC address, and the MAC-based
VLAN software aging is still in progress (hardware aging has already occurred), a RADIUS message is
NOT sent to the RADIUS server. Instead the MAC address is reentered in the hardware along with the
parameters previously returned from the RADIUS server. A RADIUS message is sent only when the
MAC-based VLAN session ages out from the software.

To change the length of the software aging period

To change the length of the software aging period for blocked MAC addresses, enter a command such
as the following.

device(config)#mac-authentication max-age 180

Syntax: [no] mac-authentication max-age seconds

You can specify from 1 - 65535 seconds. The default is 120 seconds.

Disabling aging for MAC-based VLAN sessions

MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic
is received from the MAC address for a certain period of time.

You can optionally disable aging for MAC-based VLAN sessions subject to authentication, either for
all MAC addresses or for those learned on a specified interface.

Globally disabling aging

On most devices, you can disable aging on all interfaces where MAC-based VLAN has been enabled,
by entering the following command.

device(config)#mac-authentication disable-aging

Syntax: mac-authentication disable-aging
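As an added illustration (not code from the Brocade guide), the following Python model walks through the two-phase aging described under "For blocked hosts": the hardware period (mac-authentication hw-deny-age, default 70 seconds), the software period (mac-authentication max-age, default 120 seconds), the rule in the NOTE that traffic arriving during software aging re-enters the hardware entry without a RADIUS exchange, and the effect of mac-authentication disable-aging. The H/S age-column labels and the exact second at which each phase rolls over are assumptions of the model, not behaviour verified on a device.

```python
from dataclasses import dataclass

HW_DENY_AGE_DEFAULT = 70   # mac-authentication hw-deny-age default, seconds
MAX_AGE_DEFAULT = 120      # mac-authentication max-age default, seconds


@dataclass
class MacVlanSession:
    """Model of one MAC-based VLAN session and its idle-time aging (illustrative)."""
    mac: str
    hw_age_secs: int = HW_DENY_AGE_DEFAULT   # hardware aging period
    sw_age_secs: int = MAX_AGE_DEFAULT       # software aging period (max-age)
    aging_disabled: bool = False             # mac-authentication disable-aging
    phase: str = "hw"                        # "hw", "sw" or "flushed"
    counter: int = 0                         # seconds spent in the current phase
    radius_requests: int = 0                 # RADIUS messages sent after creation

    def age_column(self) -> str:
        """Approximation of the 'age' column of show table-mac-vlan (assumed format)."""
        if self.phase == "flushed":
            return "flushed"
        return f"{'H' if self.phase == 'hw' else 'S'}{self.counter}"

    def tick(self, seconds: int = 1) -> None:
        """Advance time with no traffic from the host; aging only runs while idle."""
        if self.aging_disabled or self.phase == "flushed":
            return
        for _ in range(seconds):
            self.counter += 1
            if self.phase == "hw" and self.counter > self.hw_age_secs:
                self.phase, self.counter = "sw", 0       # H70 rolls over to S0
            elif self.phase == "sw" and self.counter >= self.sw_age_secs:
                self.phase = "flushed"                   # session is flushed
                return

    def traffic(self) -> str:
        """A frame from the MAC arrives; return what the switch does."""
        if self.phase == "flushed":
            # Session aged out of software: a RADIUS message is sent again.
            self.radius_requests += 1
            action = "radius-reauth"
        elif self.phase == "sw":
            # Hardware entry already aged: re-enter it with cached RADIUS
            # parameters; no RADIUS message is sent (see NOTE above).
            action = "reenter-hardware"
        else:
            action = "reset"                              # still in hardware
        self.phase, self.counter = "hw", 0                # traffic restarts aging
        return action
```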

234

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03